Privacy Policy
What we collect, why we collect it, and what rights you have over your data — written for humans, not lawyers.
1. Overview
ProposalForge (“we,” “us,” or “ProposalForge”) is a software-as-a-service product that helps freelancers, consultants, and agencies generate, share, and track business proposals using AI. This Privacy Policy explains how we handle personal information when you create an account, use the product, or visit our website.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, ProposalForge is the “data controller” of the information you provide directly. When you use ProposalForge to process information about your clients (e.g., names and emails on a proposal), you are the controller and we act as a processor on your behalf.
2. Data we collect
Information you give us
- Account data: email address, hashed password (or Google OAuth identifier), full name, optional profile photo.
- Brand data: company name, logo, tagline, contact details, primary/secondary colors used to brand your proposals.
- Proposal content: titles, sections, pricing, terms, client names, client emails, signatures, and any text you type into the editor.
- Billing data: name, billing address, and last 4 digits of your card. Full card numbers are handled by Stripe; we never see or store them.
- Support and feedback: messages you send to us, including any attachments.
Information we collect automatically
- Usage events: pages visited, features used, time spent, and approximate location (city-level) inferred from IP.
- Device and connection: browser, operating system, referring URL, language preference.
- Cookies and similar technologies: session cookies for authentication, plus optional analytics and preference cookies. See our Cookie Policy for the full inventory.
- Proposal viewer events: when a client opens a proposal, we record a view event. The recipient's IP address is hashed with SHA-256 before storage and is never displayed in raw form.
3. How we use data
We use data to:
- Provide, operate, and improve the product;
- Generate AI-assisted proposals at your request, including streaming drafts, regenerating sections, and producing PDFs;
- Send transactional emails (account confirmation, password reset, proposal delivery, billing receipts);
- Process subscriptions, charges, and refunds via Stripe;
- Detect, prevent, and respond to security incidents, abuse, and fraud;
- Comply with legal obligations and enforce our Terms.
We do not sell or rent personal information, and we do not use the content of your proposals to train any AI model.
4. Sharing & subprocessors
We share data only with vendors needed to run the service. Each vendor is bound by a written data processing agreement and processes data only on our instructions.
- Supabase, Inc. — managed PostgreSQL, authentication, and file storage. Data is stored in Singapore.
- Vercel, Inc. — application hosting, edge middleware, and CDN. Data may transit through US-based servers.
- Anthropic, PBC — AI inference for proposal generation. Per Anthropic's commercial terms, your prompts and completions are not used to train their models.
- Stripe, Inc. — subscription billing. Stripe is the controller for payment-card data.
- Resend (Drift, Inc.) — transactional email delivery.
- Cloudflare, Inc. — DNS, DDoS protection, and edge caching for our marketing pages.
We may also share information when legally required (subpoena, court order), to protect rights and safety, or in connection with a merger, acquisition, or asset sale — with notice to affected users where legally permissible.
5. AI processing
Proposal text you enter (briefs, sections, client information) is sent to Anthropic's Claude model to generate or revise content. Anthropic processes the prompt and returns the response; per its commercial terms it does not retain or train on the data. We do not send your data to any other AI provider, and we do not use your data to fine-tune any model of our own.
AI output may be inaccurate. You are responsible for reviewing every proposal before sending it to a client. See our AI Disclaimer for details.
6. Retention
- Account data: kept while your account is active; deleted within 30 days of account closure.
- Proposals you author: kept while your account is active. You may delete individual proposals at any time from the dashboard.
- Proposal view events: kept for the lifetime of the parent proposal and deleted when it is deleted (cascade).
- Billing records: retained for 7 years to satisfy tax and accounting obligations.
- Backups: encrypted backups expire on a 30-day rolling window.
7. Security
See our Security overview for the full controls list. Highlights: TLS 1.2+ in transit, AES-256 at rest, row-level security on every table, hashed and salted credentials, HIBP leaked-password screening at signup, hourly database backups, and principle-of-least-privilege access for staff.
8. GDPR / EEA / UK rights
If you are in the EEA, UK, or Switzerland you have the following rights, exercisable free of charge by emailing [email protected]:
- Access: a copy of the personal data we hold about you;
- Rectification: correction of inaccurate data;
- Erasure: deletion of your account and associated data;
- Restriction: pause specific processing;
- Portability: a machine-readable export of your proposals and account data;
- Objection: opt out of processing based on legitimate interests;
- Withdraw consent: where processing is based on consent (e.g., analytics cookies), you can withdraw at any time via our cookie preferences.
Lawful bases: contract performance (account, billing), consent (analytics, marketing), and legitimate interest (security, fraud prevention, product improvement). You have the right to lodge a complaint with your local data protection authority.
9. California (CCPA / CPRA) rights
California residents have the right to know what personal information we have collected, the right to delete it, the right to correct it, the right to limit use of sensitive personal information, and the right to opt out of “sale” or “sharing” under the CCPA/CPRA. Submit requests to [email protected].
We do not sell or share personal information in the sense defined by the CCPA/CPRA. We do not engage in cross-context behavioral advertising. To make this explicit and to satisfy the statutory disclosure obligations, our footer includes a “Do Not Sell or Share My Info” link that opens this section.
We will not discriminate against you for exercising your privacy rights. We do not knowingly collect or sell the personal information of consumers under 16.
10. Children
ProposalForge is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with information, please email [email protected] and we will delete it.
11. Changes
We may update this policy. Material changes will be announced via email and an in-product notice at least 14 days before they take effect. The “Effective” date at the top of this page always reflects the current version.
12. Contact
Privacy questions: [email protected].
General support: [email protected].